1 LIST

author: Your Name <you@example.com> 2017-09-19 18:48:37 -0400
committer: Your Name <you@example.com> 2017-09-19 18:48:37 -0400
commit: cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5 (patch)
tree: e45042ed1ea7db24f79ea658cc626cd03a994952 /etc
parent: Merge pull request #1555 from SpotComms/upstream (diff)
download: firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.tar.gz
firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.tar.zst
firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.zip
22 files changed, 203 insertions, 6 deletions
diff --git a/etc/7z.profile b/etc/7z.profile
index ea67bbe19..53900bae6 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -17,6 +17,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-dev
diff --git a/etc/atom.profile b/etc/atom.profile
index 8629c3dd8..6fb6048b6 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,6 +5,8 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noexec ${HOME}
+noexec /tmp
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
@@ -23,6 +25,7 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+net none
 shell none
 private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
index e90c8efe8..8c7e49121 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -21,9 +21,10 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index eeeda476f..93a94c910 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
-#private-bin cin
+private-bin cin
 private-dev
 noexec ${HOME}
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile
new file mode 100644
index 000000000..bd75a66a9
--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.bcast
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+private-bin cinelerra
+private-dev
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
new file mode 100644
index 000000000..9c0f44e97
--- /dev/null
+++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index abe83ac8c..6915318c0 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -25,6 +25,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 disable-mnt
 #private-bin dia
diff --git a/etc/evince.profile b/etc/evince.profile
index f503b9a8e..5e7596352 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -28,6 +28,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+net none
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
diff --git a/etc/hugin.profile b/etc/hugin.profile
index ff88e0d5c..dd7e326c6 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -24,6 +24,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index c062ab8ef..04c1020ab 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
index 6273c4de6..ec8d12387 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -24,3 +24,7 @@ include /etc/firejail/whitelist-common.inc
 netfilter
 nodvd
 notv
+nogroups
+noroot
+shell none
+caps.keep sys_chroot,sys_admin
+\ No newline at end of file
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a1a5f957c..10c2909a0 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 8d05a557c..9acdc3789 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+net none
 private-dev
diff --git a/etc/natron.profile b/etc/natron.profile
index d77539d83..b76649605 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile
new file mode 100644
index 000000000..02f4665d6
--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,31 @@
+# Firejail profile for openshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/openshot.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
new file mode 100644
index 000000000..2562e1b80
--- /dev/null
+++ b/etc/pinta.profile
@@ -0,0 +1,33 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+whitelist  ~/.config/Pinta
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index dd06fa59f..a6e86a7d6 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -36,6 +36,7 @@ notv
 novideo
 protocol unix
 seccomp
+net none
 tracelog
 #private-bin scribus,gs
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e30bc1f46..4e8b1da05 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index b0014ace6..1758659f2 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -25,8 +25,9 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index f14894c25..6ac530b15 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 # support compressed archives
 private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 12559a721..881572521 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-bin unrar
 private-dev
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 9828fa9b4..f913385fb 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-bin unzip
 private-dev
author	Your Name <you@example.com>	2017-09-19 18:48:37 -0400
committer	Your Name <you@example.com>	2017-09-19 18:48:37 -0400
commit	cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5 (patch)
tree	e45042ed1ea7db24f79ea658cc626cd03a994952 /etc
parent	Merge pull request #1555 from SpotComms/upstream (diff)
download	firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.tar.gz firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.tar.zst firejail-cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5.zip

diff --git a/etc/7z.profile b/etc/7z.profile index ea67bbe19..53900bae6 100644 --- a/etc/7z.profile +++ b/etc/7z.profile
@@ -17,6 +17,7 @@ notv
17	novideo	17	novideo
18	shell none	18	shell none
19	tracelog	19	tracelog
		20	caps.drop all
20		21
21	private-dev	22	private-dev
22		23


diff --git a/etc/atom.profile b/etc/atom.profile index 8629c3dd8..6fb6048b6 100644 --- a/etc/atom.profile +++ b/etc/atom.profile
@@ -5,6 +5,8 @@ include /etc/firejail/atom.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	noexec ${HOME}
		9	noexec /tmp
8	noblacklist ~/.atom	10	noblacklist ~/.atom
9	noblacklist ~/.config/Atom	11	noblacklist ~/.config/Atom
10		12
@@ -23,6 +25,7 @@ notv
23	novideo	25	novideo
24	protocol unix,inet,inet6,netlink	26	protocol unix,inet,inet6,netlink
25	seccomp	27	seccomp
		28	net none
26	shell none	29	shell none
27		30
28	private-dev	31	private-dev


diff --git a/etc/calligra.profile b/etc/calligra.profile index e90c8efe8..8c7e49121 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile
@@ -21,9 +21,10 @@ novideo
21	protocol unix	21	protocol unix
22	seccomp	22	seccomp
23	shell none	23	shell none
		24	net none
24		25
25	private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch	26	private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
26	private-dev	27	private-dev
27		28
28	noexec ${HOME}	29	#noexec ${HOME}
29	noexec /tmp	30	noexec /tmp


diff --git a/etc/cin.profile b/etc/cin.profile index eeeda476f..93a94c910 100644 --- a/etc/cin.profile +++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
24	seccomp	24	seccomp
25	shell none	25	shell none
26		26
27	#private-bin cin	27	private-bin cin
28	private-dev	28	private-dev
29		29
30	noexec ${HOME}	30	noexec ${HOME}


diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile new file mode 100644 index 000000000..bd75a66a9 --- /dev/null +++ b/etc/cinelerra.profile
@@ -0,0 +1,31 @@
		1	# Firejail profile for cin
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/cin.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.bcast
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	ipc-namespace
		17	net none
		18	nodvd
		19	nogroups
		20	nonewprivs
		21	notv
		22	noroot
		23	protocol unix
		24	seccomp
		25	shell none
		26
		27	private-bin cinelerra
		28	private-dev
		29
		30	noexec ${HOME}
		31	noexec /tmp


diff --git a/etc/cliqz.profile b/etc/cliqz.profile new file mode 100644 index 000000000..9c0f44e97 --- /dev/null +++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
		1	# Firejail profile for firefox
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/firefox.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ~/.cache/cliqz
		9	noblacklist ~/.config/cliqz
		10	noblacklist ~/.config/okularpartrc
		11	noblacklist ~/.config/okularrc
		12	noblacklist ~/.config/qpdfview
		13	noblacklist ~/.kde/share/apps/okular
		14	noblacklist ~/.kde/share/config/okularpartrc
		15	noblacklist ~/.kde/share/config/okularrc
		16	noblacklist ~/.kde4/share/apps/okular
		17	noblacklist ~/.kde4/share/config/okularpartrc
		18	noblacklist ~/.kde4/share/config/okularrc
		19	noblacklist ~/.local/share/gnome-shell/extensions
		20	noblacklist ~/.local/share/okular
		21	noblacklist ~/.local/share/qpdfview
		22
		23	noblacklist ~/.pki
		24
		25	include /etc/firejail/disable-common.inc
		26	include /etc/firejail/disable-devel.inc
		27	include /etc/firejail/disable-programs.inc
		28
		29	mkdir ~/.cache/mozilla/firefox
		30	mkdir ~/.mozilla
		31	mkdir ~/.pki
		32	whitelist ${DOWNLOADS}
		33	whitelist ~/.cache/gnome-mplayer/plugin
		34	whitelist ~/.cache/mozilla/firefox
		35	whitelist ~/.config/gnome-mplayer
		36	whitelist ~/.config/okularpartrc
		37	whitelist ~/.config/okularrc
		38	whitelist ~/.config/pipelight-silverlight5.1
		39	whitelist ~/.config/pipelight-widevine
		40	whitelist ~/.config/qpdfview
		41	whitelist ~/.kde/share/apps/okular
		42	whitelist ~/.kde/share/config/okularpartrc
		43	whitelist ~/.kde/share/config/okularrc
		44	whitelist ~/.kde4/share/apps/okular
		45	whitelist ~/.kde4/share/config/okularpartrc
		46	whitelist ~/.kde4/share/config/okularrc
		47	whitelist ~/.keysnail.js
		48	whitelist ~/.lastpass
		49	whitelist ~/.local/share/gnome-shell/extensions
		50	whitelist ~/.local/share/okular
		51	whitelist ~/.local/share/qpdfview
		52	whitelist ~/.mozilla
		53	whitelist ~/.pentadactyl
		54	whitelist ~/.pentadactylrc
		55	whitelist ~/.pki
		56	whitelist ~/.vimperator
		57	whitelist ~/.vimperatorrc
		58	whitelist ~/.wine-pipelight
		59	whitelist ~/.wine-pipelight64
		60	whitelist ~/.zotero
		61	whitelist ~/dwhelper
		62	include /etc/firejail/whitelist-common.inc
		63	include /etc/firejail/whitelist-var-common.inc
		64
		65	caps.drop all
		66	netfilter
		67	nodvd
		68	nogroups
		69	nonewprivs
		70	noroot
		71	notv
		72	protocol unix,inet,inet6,netlink
		73	seccomp
		74	shell none
		75	tracelog
		76
		77	# private-bin firefox,which,sh,dbus-launch,dbus-send,env
		78	private-dev
		79	# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
		80	private-tmp
		81
		82	noexec ${HOME}
		83	noexec /tmp


diff --git a/etc/dia.profile b/etc/dia.profile index abe83ac8c..6915318c0 100644 --- a/etc/dia.profile +++ b/etc/dia.profile
@@ -25,6 +25,7 @@ novideo
25	protocol unix	25	protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
		28	net none
28		29
29	disable-mnt	30	disable-mnt
30	#private-bin dia	31	#private-bin dia


diff --git a/etc/evince.profile b/etc/evince.profile index f503b9a8e..5e7596352 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -28,6 +28,7 @@ protocol unix
28	seccomp	28	seccomp
29	shell none	29	shell none
30	tracelog	30	tracelog
		31	net none
31		32
32	private-bin evince,evince-previewer,evince-thumbnailer	33	private-bin evince,evince-previewer,evince-thumbnailer
33	private-dev	34	private-dev


diff --git a/etc/hugin.profile b/etc/hugin.profile index ff88e0d5c..dd7e326c6 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile
@@ -24,6 +24,7 @@ novideo
24	protocol unix	24	protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
		27	net none
27		28
28	private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend	29	private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
29	private-dev	30	private-dev


diff --git a/etc/inkscape.profile b/etc/inkscape.profile index c062ab8ef..04c1020ab 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
27	seccomp	27	seccomp
28	shell none	28	shell none
29		29
30	#private-bin inkscape	30	private-bin inkscape,potrace
31	private-dev	31	private-dev
32	private-tmp	32	private-tmp
33		33


diff --git a/etc/inox.profile b/etc/inox.profile index 6273c4de6..ec8d12387 100644 --- a/etc/inox.profile +++ b/etc/inox.profile
@@ -24,3 +24,7 @@ include /etc/firejail/whitelist-common.inc
24	netfilter	24	netfilter
25	nodvd	25	nodvd
26	notv	26	notv
		27	nogroups
		28	noroot
		29	shell none
		30	caps.keep sys_chroot,sys_admin \ No newline at end of file


diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index a1a5f957c..10c2909a0 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
26	private-dev	26	private-dev
27	#private-etc fonts,alternatives,X11,pulse,passwd	27	#private-etc fonts,alternatives,X11,pulse,passwd
28		28
29	noexec ${HOME}	29	#noexec ${HOME}
30	noexec /tmp	30	noexec /tmp


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 8d05a557c..9acdc3789 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
27	seccomp	27	seccomp
28	shell none	28	shell none
29	tracelog	29	tracelog
		30	net none
30		31
31	private-dev	32	private-dev
32		33


diff --git a/etc/natron.profile b/etc/natron.profile index d77539d83..b76649605 100644 --- a/etc/natron.profile +++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
26	protocol unix,inet,inet6	26	protocol unix,inet,inet6
27	seccomp	27	seccomp
28	shell none	28	shell none
		29	net none
29		30
30	private-bin natron,Natron,NatronRenderer	31	private-bin natron,Natron,NatronRenderer
31		32


diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile new file mode 100644 index 000000000..02f4665d6 --- /dev/null +++ b/etc/openshot-qt.profile
@@ -0,0 +1,31 @@
		1	# Firejail profile for openshot
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/openshot.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.openshot
		9	noblacklist ${HOME}/.openshot_qt
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-passwdmgr.inc
		14	include /etc/firejail/disable-programs.inc
		15
		16	caps.drop all
		17	netfilter
		18	nodvd
		19	nogroups
		20	nonewprivs
		21	noroot
		22	notv
		23	protocol unix,inet,inet6,netlink
		24	seccomp
		25	shell none
		26
		27	private-dev
		28	private-tmp
		29
		30	noexec ${HOME}
		31	noexec /tmp


diff --git a/etc/pinta.profile b/etc/pinta.profile new file mode 100644 index 000000000..2562e1b80 --- /dev/null +++ b/etc/pinta.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for krita
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/krita.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	include /etc/firejail/disable-common.inc
		9	include /etc/firejail/disable-devel.inc
		10	include /etc/firejail/disable-passwdmgr.inc
		11	include /etc/firejail/disable-programs.inc
		12
		13	caps.drop all
		14	ipc-namespace
		15	net none
		16	nodvd
		17	nogroups
		18	nonewprivs
		19	noroot
		20	nosound
		21	notv
		22	novideo
		23	protocol unix
		24	seccomp
		25	shell none
		26
		27	private-dev
		28	private-tmp
		29
		30
		31	whitelist ~/.config/Pinta
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/etc/scribus.profile b/etc/scribus.profile index dd06fa59f..a6e86a7d6 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile
@@ -36,6 +36,7 @@ notv
36	novideo	36	novideo
37	protocol unix	37	protocol unix
38	seccomp	38	seccomp
		39	net none
39	tracelog	40	tracelog
40		41
41	#private-bin scribus,gs	42	#private-bin scribus,gs


diff --git a/etc/shotcut.profile b/etc/shotcut.profile index e30bc1f46..4e8b1da05 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
27	#private-bin shotcut,melt,qmelt,nice	27	#private-bin shotcut,melt,qmelt,nice
28	private-dev	28	private-dev
29		29
30	noexec ${HOME}	30	#noexec ${HOME}
31	noexec /tmp	31	noexec /tmp


diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index b0014ace6..1758659f2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile
@@ -25,8 +25,9 @@ novideo
25	protocol unix	25	protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
		28	net none
28		29
29	#private-bin synfigstudio	30	#private-bin synfigstudio,synfig,ffmpeg
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
32		33


diff --git a/etc/tar.profile b/etc/tar.profile index f14894c25..6ac530b15 100644 --- a/etc/tar.profile +++ b/etc/tar.profile
@@ -18,6 +18,7 @@ notv
18	novideo	18	novideo
19	shell none	19	shell none
20	tracelog	20	tracelog
		21	caps.drop all
21		22
22	# support compressed archives	23	# support compressed archives
23	private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop	24	private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop


diff --git a/etc/unrar.profile b/etc/unrar.profile index 12559a721..881572521 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile
@@ -18,6 +18,7 @@ notv
18	novideo	18	novideo
19	shell none	19	shell none
20	tracelog	20	tracelog
		21	caps.drop all
21		22
22	private-bin unrar	23	private-bin unrar
23	private-dev	24	private-dev


diff --git a/etc/unzip.profile b/etc/unzip.profile index 9828fa9b4..f913385fb 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile
@@ -18,6 +18,7 @@ notv
18	novideo	18	novideo
19	shell none	19	shell none
20	tracelog	20	tracelog
		21	caps.drop all
21		22
22	private-bin unzip	23	private-bin unzip
23	private-dev	24	private-dev